Risk Management Key To Foiling Terrorist Plots

As the search in the wreckage of the World Trade Center and Pentagon shifted from survivors to bodies, and as the United States prepared to dig in for a long war against terrorism, questions persisted about whether routine efforts to recognize and communicate potential warning signs could have averted disaster.

Could the FBI, in the weeks before the Sept. 11 attack, have alerted other agencies, including the FAA, that it was investigating suspicious behavior on the part of some of the alleged hijackers? Could airline employees have noticed anything unusual about a one-way ticket for a transcontinental flight paid for in cash, or multiple tickets charged to a single credit card? Could Air Force fighters have taken off as soon as American Airlines Flight 11-the first plane to slam into the twin towers-veered off course?

The question of why alarm bells didn't go off sooner, or at all, will be debated for years. But in the aftermath of the worst criminal act in American history, airlines and others entrusted with people's lives are likely to adopt some of the risk management techniques employed by banks, experts said.

"Things that could have been done weren't," said Jim Eckenrode, head of consumer banking research at TowerGroup. "Investments in technologies that banks have made related to fraud detection in real-time may be useful in other industries."

Prodded in part by Congress, many banks have installed money laundering detection systems from vendors such as Americas Software, Atchley Systems, Prime Associates and SearchSpace (see BS&T May 2001 cover story). Bank of New York became a SearchSpace client after experiencing millions of dollars in losses from money laundering schemes. SearchSpace features an artificial intelligence engine that uses pattern recognition techniques to smoke out unusual activities. FleetBoston's Financial Intelligence Unit is split between a centralized profiling and monitoring group, a financial analysis group, and an investigations and reporting group. And Deutsche Bank uses db-Tracker, an internally-developed, account-based monitoring system that identifies unusual correspondent account activity.

These and similar systems could be used to thwart terrorists.

And as investigators pored through banking records and credit card transactions to trace the hijackers' steps, the U.S. Treasury announced the establishment of an interagency team dedicated to the disruption of terrorist fundraising. The team, which is to be transformed into a permanent Foreign Terrorist Asset Tracking Center within the Office of Foreign Asset Control (OFAC), is designed to identify foreign terrorist groups and their sources and methods of fundraising.

Had such an operation been in place prior to Sept. 11, it might have been able to trace unusual stock trading activity, such as the taking of short positions in major reinsurance companies, back to Osama bin Laden. "Apparently bin Laden was shorting all over the place," said Eckenrode. "Isn't it ironic that he was using our system to fund the very operation to destroy it?"

Banks use a wide range of fraud detection techniques, employing both human judgment and sophisticated data modeling, in their credit card and other lending areas. Some systems distill expert knowledge into a set of rules that can be applied to each transaction ("rules-based systems"). HNC Software's Falcon uses neural-network techniques to build models of complex transaction patterns such as consumer credit card fraud. The models are "trained" to recognize patterns through an iterative process in which large numbers of transactions are passed through a neural network algorithm. Once training is complete, the neural network uses these learned patterns to predict the probability that a new individual will exhibit the modeled transaction patterns.

On the day of the attacks in New York and Washington, HNC released a version of its Falcon fraud detection system designed specifically for money laundering.

In addition to detecting fraud, predictive software solutions play a key role in other business functions. For example, within a customer relationship management (CRM) system, predictive software analyzes customer data and other information to predict what the customer will do today and in the future. ERP systems provide transaction level data that can be analyzed by predictive software solutions to optimize inventory management and enhance supply chain logistics. When predictive software is embedded in a real-time transaction stream, it can yield intelligence, enabling companies to adjust their business strategies.

Yet the effectiveness of predictive software in fraud detection or other applications has been limited by access to data. "Extracting transaction level data and analyzing it in real time is difficult," said Eckenrode. In the United States, he noted, heavy reliance on paper checks has hindered banks' conversion to real-time core systems. "Certain segments of the business like credit cards can do that, but branch level activity is going to be difficult."

Data is the key ingredient in risk management systems, which by definition attempt to predict the likelihood of unforeseen events, such as a sharp drop in securities prices (market risk), a loan default (credit risk), or natural and man-made disasters (operational risk).

Market and credit risk systems are blessed with rich sources of data, and hence are fairly robust. But operational risk is harder to quantify. Cases of rogue employees taking down firms, such as Nick Leeson at Barings Bank, or of major systems being compromised are rare and seldom publicized.

"It's hard to define a statistically significant populace of fraud or the sorts of debacles that could bring down firms," said Peter Keppler, a research analyst at Meridien Research.

Fundamental to the art of risk management is stress testing-exposing portfolios to the worst scenarios imaginable and observing the results. The events of Sept. 11 provide a benchmark against which all scenarios will be measured.

"Unfortunately, what this will give us is another scenario for stress testing," said Keppler. "Pick the worst scenario you can think of and make it three times worse."